OWASP Assignment
The Open Web Application Security Project, or OWASP, is an international nonprofit
charitable organization set on improving the security of software. Their main goal is to provide
impartial (unbiased) and practical information about application security (AppSec) to all
individuals and groups, including corporations, universities, government agencies and other
organizations, worldwide, in order to help them make informed decisions concerning software
security. In order to provide the information for software security, the OWASP community
builds documents, tools, teaching environments, guidelines, checklists, and other materials to
organization, meaning that everyone is free to participate; even their website is maintained like
that of a Wikipedia page, using over 45,000 global volunteer participants to review changes
to help ensure quality. Their website is not the only aspect of their organization that is
wide-open. All their materials, though vendor neutral (they don't recommend or
endorse commercial products or services), are available to the public under a free and open
software license. A free and open software license means that it can be freely used, modified,
and shared, as approved by the Open Source Initiative (OSI), not to be confused with the Open
Systems Interconnection model, whose acronym is also OSI. The core values of the Open Web
Application Security Project are open, innovation, global, and integrity. Open refers
to OWASP intending for everything about them to be radically transparent from their finances to
their code. Innovation refers to the encouragement and support of innovation and experiments
for solutions to software security challenges. Global refers to OWASP encouraging anyone
Katherine Bongat Kyle Lockley Trevor Touchet 2
around the world to participate in the OWASP community. Lastly, integrity refers to OWASP
Sensitive Data Exposure is what happens when you don't properly keep your sensitive
data concealed behind firewalls and encryption. Credit card information, social security
numbers, phone numbers, addresses, passwords, and logins are some of the many types of
data that could be used maliciously if left out in the open. Leaving this information unencrypted
can leave your company and your employees vulnerable to identity fraud, credit card fraud, and
possible hacking.
The first step to protecting your sensitive data is to encrypt it, which masks the data to the
naked eye so that it cannot be read without the encryption key. The next step would be
to not store any data you don't need. For instance, if you don't need someone's
social security number, don't store that information anywhere. You can't have information
stolen that you don't possess. Another tip is to keep your keys, and likewise your passwords, in a
safe place and never share them with anyone you do not trust. Passwords need to be
stored using an algorithm specifically designed for password protection, such as scrypt or
PBKDF2. One last thing to do would be disabling autocomplete and caching to prevent any data
remnants from previous entries from appearing on forms. By taking all of these steps to protect
your data, you eliminate all the easy ways of obtaining it. Simply taking these preventive
measures shuts the door on anyone peering into your servers trying to find anything they can use
against you. Encryption will keep out anyone who doesn't have the proper keys to decrypt, and
keeping strong passwords will shield your system from people trying to guess their way in.
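As an added example (not part of the original assignment), the following Python code stores and verifies passwords with the two algorithms named above, scrypt and PBKDF2, using only the standard library. Each password gets a fresh random salt, the work factors are recorded alongside the hash so they can be raised later, and verification uses a constant-time comparison; the parameter values are assumptions to be tuned for your hardware.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Work factors (assumed values; raise them as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1       # about 16 MiB of memory per hash
PBKDF2_ITERATIONS = 600_000
DKLEN = 32                                         # derived-key length in bytes


def _derive(algo: str, password: str, salt: bytes, params: List[int]) -> bytes:
    """Run the chosen password-hashing KDF with the given parameters."""
    pw = password.encode("utf-8")
    if algo == "scrypt":
        n, r, p = params
        return hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p,
                              dklen=DKLEN, maxmem=64 * 1024 * 1024)
    if algo == "pbkdf2":
        (iters,) = params
        return hashlib.pbkdf2_hmac("sha256", pw, salt, iters, dklen=DKLEN)
    raise ValueError(f"unsupported algorithm: {algo}")


def hash_password(password: str, algo: str = "scrypt",
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$params$salt$hash' for storage."""
    if salt is None:
        salt = os.urandom(16)                      # fresh random salt per password
    params = [SCRYPT_N, SCRYPT_R, SCRYPT_P] if algo == "scrypt" else [PBKDF2_ITERATIONS]
    dk = _derive(algo, password, salt, params)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join([algo, ",".join(map(str, params)), b64(salt), b64(dk)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        algo, params_str, salt_b64, hash_b64 = record.split("$")
        params = [int(x) for x in params_str.split(",")]
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        dk = _derive(algo, password, salt, params)
    except (ValueError, TypeError):
        return False                               # malformed record is never a match
    return hmac.compare_digest(dk, expected)
```

Because the record carries its own parameters, old hashes keep verifying after the defaults are raised, and can be re-hashed on the user's next successful login.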
The second item in OWASP's top ten privacy risks is known as operator-sided data leakage.
This essentially means that data entrusted to a third party for storage has been
compromised while in the possession of that third party. For example, millions of users had given the
organization Yahoo information for storage, such as names, addresses, phone numbers, and the
like. When Yahoo was hacked and the attackers stole a large amount of this user data,
operator-sided data leakage had occurred. While there isn't a surefire way to prevent another
organization from losing a customer's data in a breach, certain steps can be taken to reduce the
likelihood of becoming a victim of this privacy risk. First, before committing data to a certain
operator, conduct research on the operator to ensure they have a good reputation and are reliable.
Things to consider when evaluating an operator include: how many breaches, if any, have
occurred in the past, whether or not the provider demonstrates that it is proactive in securing its
users' private data, and what standards the operator follows or what certifications it possesses.
Next, after an operator has been chosen, it should be continually audited to ensure good
privacy practices are still in place. Acceptable audits can be paper-based or interview-based;
however, on-site audits with system checks would be the best. Aside from ensuring the operator
is doing its best to secure the private data it is storing, certain steps can be taken by the
customer to ensure that, in the event of a breach, nothing of extreme value will be lost. The first and
most obvious measure is to simply not entrust the provider with storing any sensitive information.
If classified data must be given to the operator, the customer can first perform encryption,
anonymization, or pseudonymization on the data, the only downside being increased overhead
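As an added example (not part of the original assignment), the Python code below pseudonymizes a customer record before it is handed to an operator: direct identifiers are replaced with keyed HMAC-SHA256 tokens, fields the operator has no need for are dropped entirely, and the key and the re-identification map stay with the customer, so a breach on the operator's side exposes only tokens. The record, field lists and key are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Tuple


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic pseudonym for one field value.

    HMAC with a customer-held key means the operator cannot recover the value
    by hashing guesses; including the field name keeps the same value from
    producing the same token in two different fields."""
    mac = hmac.new(key, f"{field}\0{value}".encode("utf-8"), hashlib.sha256)
    return "pn_" + mac.hexdigest()[:24]


def pseudonymize_record(record: Dict[str, str], key: bytes,
                        identifying_fields: Iterable[str],
                        drop_fields: Iterable[str] = ()) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (record safe to send to the operator, customer-held re-identification map).

    drop_fields are removed outright: data you do not store cannot be stolen."""
    outgoing = {k: v for k, v in record.items() if k not in set(drop_fields)}
    lookup: Dict[str, str] = {}
    for field in identifying_fields:
        if field in outgoing:
            token = pseudonym(outgoing[field], key, field)
            lookup[token] = outgoing[field]       # stays with the customer, never sent
            outgoing[field] = token
    return outgoing, lookup


# Constructed sample input; the key is a placeholder, not a real secret.
CUSTOMER_KEY = b"customer-held-secret-key-CONSTRUCTED"
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "ssn": "000-00-0000",          # not needed by the operator: dropped, not sent
    "plan": "gold",                # non-identifying business data: sent as-is
}

if __name__ == "__main__":
    sent, kept = pseudonymize_record(SAMPLE_RECORD, CUSTOMER_KEY,
                                     identifying_fields=["name", "email"],
                                     drop_fields=["ssn"])
    print("to operator:", sent)
    print("kept locally:", kept)
```

Same-key tokens are stable, so the operator can still join records per customer, while a different key (or no key) yields unrelated tokens.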